[00:09.090 --> 00:15.270]  Hello, everybody. Welcome back to the continuation of the OpenSOC CTF Tools.
[00:15.430 --> 00:23.510]  Our next speaker, Tim Dot Zero, a.k.a. TJ, a.k.a. Tim Johnson, will be giving us a walkthrough of the Kibana tool.
[00:23.810 --> 00:29.330]  This product is near and dear to my heart, being an Elastic engineer, and hopefully everybody enjoys it.
[00:29.330 --> 00:34.290]  If you have questions, hit us up in the WORKSHOP TRACK 1 text channel again.
[00:34.290 --> 00:41.730]  We will try to redirect you as best as possible. There's also the Recon InfoSec Discord channel that you can go into.
[00:41.830 --> 00:49.050]  There is actually a section that, unfortunately, I didn't write down, Tim, but Ask for Help, I think.
[00:49.190 --> 00:52.350]  Yeah, you can ask for help from other OpenSOC veterans.
[00:52.850 --> 00:58.670]  Yeah, so definitely take advantage of the Discord channels that are out there so you can get more directed help.
[00:58.670 --> 01:04.130]  At this point, I'm going to turn it over to TJ and sit back and relax.
[01:05.590 --> 01:10.970]  Hey, how's it going, everybody? We're very excited about OpenSOC this year.
[01:10.970 --> 01:16.750]  We got new scenarios, got some new tools for you to use, and we got some tools that you already know about.
[01:16.750 --> 01:23.570]  But for those of you who are attending DEF CON for the first time or participating in OpenSOC for the first time,
[01:23.570 --> 01:27.230]  we're going to get you familiar with those tools and show you what kind of weapons you have in your arsenal.
[01:29.630 --> 01:34.370]  Like he said, my name is TJ, aka Tim.0 on Twitter.
[01:34.590 --> 01:40.370]  You can hit us up anytime. We'll retweet you, we'll talk to you, we'll get in our Discord,
[01:40.370 --> 01:43.790]  and we'll try to help you out, try to make you better hunters.
[01:44.110 --> 01:48.450]  But without further ado, we're going to jump into some Kibana.
[01:50.710 --> 01:57.090]  So right when you log into Kibana, you're going to actually see this screen here.
[01:58.850 --> 02:04.150]  And it's no different than if you've used Graylog before or other tools like this.
[02:04.250 --> 02:10.750]  It's a UI for your Elasticsearch database on the back end, and it helps you visualize your Elasticsearch data.
[02:11.590 --> 02:20.410]  And here you'll be able to create indexes to filter out and look through all of your agents pushing logs to your Logstash server.
[02:21.670 --> 02:28.090]  And that's just a little background. I won't teach you about the tool because I don't work for Elastic, but I do love this tool.
[02:29.170 --> 02:35.550]  So first off, I'd like to tell everybody the disclaimer. Do not ever forget your time frame.
[02:36.170 --> 02:45.450]  You've got to pay attention to the time filter. So you're going to get intel drops, you're going to get information saying that a particular event happened at a particular time.
[02:45.450 --> 02:48.770]  And you've got to make sure that you're looking for events during that time.
[02:50.350 --> 02:57.250]  So right up here in the right corner here, you're going to see your... by default, it'll open up and load as last 15 minutes.
[02:57.250 --> 03:04.270]  And if you click that right there, it'll actually provide you, by default, some of the quick...
[03:04.910 --> 03:10.210]  Hey, I just want to look at the last week. Hey, I just want to look at the last month. Oh, this happened in the last 30 minutes.
[03:10.790 --> 03:18.430]  Obviously, because we're hunting on a non-live environment, we want to look pretty specific, right?
[03:19.090 --> 03:23.410]  So you're going to go in here and you can pick your time and your date here.
[03:23.410 --> 03:29.690]  And the cool thing about it, if you notice that I clicked a date, it zeroes out the start time.
[03:30.790 --> 03:36.270]  And if you click another date, it pulls it down to 23:59, where it's the end of the day.
[03:37.070 --> 03:44.370]  That's a very useful tool there because you're going to be looking at a lot of different time frames and we want to make sure that you're getting the right data.
[03:44.550 --> 03:48.310]  So pay attention to your time frame because you don't want to hunt in the wrong place.
[03:49.130 --> 03:54.730]  Also, you'll go back and forth in between your hunts into different time frames.
[03:54.850 --> 03:58.490]  And this will actually show you some of the last ones you picked.
[03:58.490 --> 04:02.610]  So it makes it a lot easier on you to jump between one time frame and another.
[04:04.510 --> 04:06.050]  But we'll keep pushing.
[04:07.570 --> 04:15.930]  One of the things I like about Kibana is for the not so seasoned hunter.
[04:15.930 --> 04:20.590]  When I first started, Kibana was a great tool for me to try to learn and understand.
[04:20.770 --> 04:26.250]  Because you get to understand based on the data that you're given.
[04:26.250 --> 04:28.030]  You're looking at all your logs right here.
[04:28.030 --> 04:32.110]  So in the last 15 minutes, I'm looking at 131,000 logs.
[04:32.110 --> 04:37.130]  So I usually just start off by looking at some of the stuff that I'm seeing here.
[04:37.570 --> 04:40.270]  But you'll notice that you're getting logs from different sources.
[04:40.270 --> 04:45.850]  So here we got this type here showing that it's a log.
[04:46.450 --> 04:51.530]  But you might also filter that out and say, what other type of logs do I have here?
[04:54.530 --> 05:02.890]  And you open that up and you can see I use this little magnifying glass as you filter or you hover over some of these fields here.
[05:02.890 --> 05:09.410]  You can go and add and say I want to filter for that value and I want to take out that value.
[05:09.470 --> 05:20.410]  And you'll see that that value for the log type is actually filtered out, and I'm now only seeing syslogs.
[05:22.130 --> 05:26.350]  So if you would, I like to call this the point-and-click hunt method.
[05:26.350 --> 05:33.250]  You can actually go through here and be like, well, I don't want to see dest port 3306, and take it out.
[05:33.470 --> 05:36.770]  And as you do that, you'll see your filters just pile up here.
[05:37.510 --> 05:42.970]  And if you want to, you can actually go and start adding your own filters from scratch.
[05:57.670 --> 06:08.710]  So you might not have a range of IPs or a specific IP that you know is just a distractor or maybe just noise or for your specific hunt, you don't want to see that traffic.
[06:08.710 --> 06:14.750]  So you can go in here and select that IP and say I don't want to see anything from that IP address.
[06:15.150 --> 06:18.050]  And you'll see my events drop because it took them out.
[06:21.770 --> 06:29.990]  Also, columns. Looking at this view here, you can see that right now all I see is the time and the source.
[06:30.870 --> 06:38.470]  But what if you want to see in a single view source IP or maybe the dest IP?
[06:38.470 --> 06:46.850]  You can actually go through and here are all your columns that you could create based off of the fields in each of these logs.
[06:52.540 --> 07:00.720]  Another thing you can do is if you open up a log and you say, well, there's my dest IP there.
[07:00.720 --> 07:05.140]  You see this small icon here that looks like a column.
[07:05.680 --> 07:14.680]  If you click that there, it automatically throws it up into the dest IP column on this table.
[07:15.460 --> 07:20.640]  So now as you start narrowing down your hunts, you see the data that's pertinent to you.
[07:20.640 --> 07:27.060]  I'm looking for this specific actor talking to this specific network resource because it shouldn't be happening.
[07:27.060 --> 07:34.680]  Because the ultimate goal here, right, when you're hunting is to make this number as small as possible in your searches.
[07:35.740 --> 07:40.400]  Because you know for a fact that that's activity that should not be happening.
[07:41.880 --> 07:50.180]  Now, obviously, as you go, you're going to see some traffic that you need to deconflict and say, well, that is legit traffic and I don't want to see it.
[07:50.400 --> 07:52.740]  That's when I recommend building those filters.
[07:52.740 --> 08:01.720]  So as you go through, make sure you create filters for things that you don't find necessary in your searches.
[08:04.020 --> 08:12.540]  Moving on here, we're going to talk about how to query in Kibana.
[08:12.540 --> 08:22.940]  So, Kibana uses Lucene query language. If you're not familiar with it, there's lots of data out there on it.
[08:22.940 --> 08:27.400]  But the primary information you need to know about it is the operators that it uses.
[08:29.020 --> 08:36.640]  So, for example, let's say there's two specific IP addresses that you care about.
[08:36.680 --> 08:39.640]  And we'll look at these two here.
[08:40.720 --> 08:46.980]  So you want to know when and if these two machines here were talking.
[08:47.940 --> 08:57.240]  So, what you can do is, you want to say source underscore IP.
[09:10.950 --> 09:17.380]  Source IP is that.
[09:19.540 --> 09:25.400]  And specifying that it has to match that operator.
[09:25.400 --> 09:29.720]  So you're saying it has to match this IP here.
[09:29.720 --> 09:32.600]  Otherwise, you don't want to see it.
[09:39.510 --> 09:47.070]  Boom. So you're saying those devices have never talked to each other in the last 15 minutes.
[09:47.070 --> 09:53.990]  Now, what if you say, well, I just want to know when this IP has talked to anybody.
[09:54.510 --> 09:58.590]  And when this IP, anybody's talked to it. Either or.
[09:58.950 --> 10:04.290]  So that's when you just change that AND to an OR operator.
[10:07.290 --> 10:11.530]  And now you're going to see that IP as the source.
[10:14.100 --> 10:19.980]  Somewhere down the line you'll see the other IP as the dest in a lot of the traffic.
[10:21.360 --> 10:26.320]  So, you just have to pay attention to some of your syntax.
[10:26.720 --> 10:31.340]  Again, there's a few things you want to consider.
[10:31.760 --> 10:34.560]  Lucene does use regex.
[10:35.020 --> 10:43.680]  So, what you might do is, maybe there's a file called evil file that you know about.
[10:43.680 --> 10:52.580]  You had an Intel drop and they say, hey, I need to go find, I know they clicked on a document and someone executed evil file.
[10:53.260 --> 10:55.720]  So, how would you search for that, right?
[10:55.920 --> 11:02.840]  Well, in Kibana, you can actually say, well, I just want to see anything called evil file.
[11:03.980 --> 11:09.740]  Okay. That's in the last 15 minutes. Maybe the last 24 hours.
[11:19.210 --> 11:21.450]  Nope. Nothing. Okay.
[11:21.450 --> 11:29.470]  So, what if I want to use regex? Well, because evil might be capitalized, or file might be capitalized.
[11:30.030 --> 11:49.590]  So, what you would do here, you specify here that you're throwing in some regex, and then here, wildcard, here, wildcard, and then do your search.
[11:51.880 --> 11:54.760]  Now, the problem is, there is no evil file.
[11:56.320 --> 12:03.960]  So, but what if you wanted everything in the last hour with the word file?
[12:04.400 --> 12:17.760]  Okay. So now, if you pull down here, it's referencing Filebeat.
[12:19.780 --> 12:25.520]  And mostly, you're going to see Filebeat because that is the agent that's pushing these logs to you.
[12:25.520 --> 12:31.540]  Okay. Well, let's take out Filebeat because I know that's my agent. I don't need to look at that.
[12:31.660 --> 12:33.720]  So, I go and filter that out.
[12:34.460 --> 12:37.260]  The negative sign magnifying glass.
[12:41.230 --> 12:48.490]  So, now, is there anything else referencing file? Program files.
[12:48.730 --> 12:54.530]  Oh, I didn't specify that I wanted it to end in file that wasn't plural.
[12:56.390 --> 13:02.590]  So, that's some of the things you've got to pay attention to. If you're really good with regular expressions, that can be helpful.
[13:02.950 --> 13:10.470]  Also, you can come in and specify that... because right now, I just said lowercase F, right?
[13:10.610 --> 13:16.130]  But what if you want to tell in regex, it could be also uppercase F.
[13:19.380 --> 13:27.400]  And as you notice, I'm getting pretty specific with the regex and already my events in the last hour have dropped down to 12,000.
[13:28.300 --> 13:37.580]  And our goal at the end of the day is to make our events as little as possible so you can start narrowing down the bad.
[13:41.690 --> 13:43.970]  Alright. So, another useful tool.
[13:44.810 --> 13:52.220]  So, sometimes you're going to come across logs that don't have the data that you're looking for.
[13:53.940 --> 13:56.900]  I see dest IP with an empty field here.
[13:56.940 --> 14:01.980]  Sometimes you're going to see message fields with an empty field. Sometimes you're going to see file paths with an empty field.
[14:02.840 --> 14:09.020]  Sometimes that's something worth looking at, but sometimes you're like, I really need to know the file path. I really need to know the dest IP.
[14:09.020 --> 14:13.040]  So, we'll use dest IP as the example here.
[14:13.120 --> 14:15.500]  So, I'll pick a source IP.
[14:24.620 --> 14:33.200]  So, what I'm saying here is I want to know when this system talks to anybody.
[14:33.380 --> 14:42.060]  Because if I just search that there, I will still see this log with no destination IP.
[14:43.660 --> 14:49.000]  But, I want something with some data.
[14:49.000 --> 14:55.080]  So, what I'll do here is an exist operator.
[15:04.320 --> 15:14.900]  And now I'm saying I want to know when that IP is the source and the dest IP has content in the field.
[15:15.420 --> 15:17.200]  So, let me update that up.
[15:17.400 --> 15:26.900]  So, what does that tell me? That tells me that system never talked to anybody or there's no log of that system talking to anybody in the last hour.
[15:27.180 --> 15:32.820]  We can go back a week and let's see if we find anything. Nope.
[15:33.620 --> 15:44.880]  So, that might be worth looking into because you've now got a log of this system talking, but what is it doing?
[15:44.880 --> 15:49.840]  So, that might be worth investigating. Obviously, if Intel provides that kind of content.
[15:50.920 --> 15:52.520]  Let's push here.
[15:55.550 --> 15:58.350]  Let's talk about what else you could search.
[15:58.550 --> 16:04.390]  So, important artifacts, right? Hashes, imphashes.
[16:05.110 --> 16:15.290]  The way that, and I forgot to tell you this at the beginning, but Kibana is actually showing you the same data that Graylog is showing you.
[16:15.290 --> 16:30.750]  As you can see by the index here, there's one single index, which on other instances of your ELK stack, you might see multiple index patterns that are saying that I'm getting logs from multiple different sources.
[16:30.750 --> 16:37.150]  But for the OpenSOC range, this tool is actually pointing to the same data that Graylog is pointing to.
[16:37.150 --> 16:44.550]  So, disclaimer, if you use Graylog, if you use Kibana, you can choose what you feel more comfortable with.
[16:46.350 --> 16:50.950]  What you find easier to use, but they're both showing the same data.
[16:52.030 --> 17:03.170]  So, but I will say the way that Graylog is parsing this data is different than how Kibana is getting this data parsed in.
[17:03.170 --> 17:14.830]  So, you have to consider, if you're looking for an imphash, there's a possibility there's a field for it in Graylog, and there's a possibility that there's not a field for it here.
[17:15.290 --> 17:22.930]  They do exist. So, why are imphashes important? Well, find out.
[17:25.520 --> 17:37.200]  So, what I'm doing here is I'm actually just looking for any imphash and find out what field that data is in, because there is no imphash field.
[17:44.010 --> 17:51.610]  So, I've got a few hits on it. Right now, no source and destination IPs, but let's go ahead and expand a log and see what we're looking at.
[17:54.570 --> 18:06.350]  So, we've got a driver called agent.exe and remote IPs, and we've got an imphash for this file.
[18:06.350 --> 18:15.490]  Now, if you deem this file to be bad at any point, then you now got the imphash for it and you can find every execution of it.
[18:15.490 --> 18:24.750]  So, that's another quick artifact, but all I did was search the word imphash, and I found all the logs that have imphashes associated with it.
[18:24.750 --> 18:32.570]  Now, you're going to have to do some more digging and filtering because, obviously, you're going to find a file with an imphash that could be legit.
[18:32.970 --> 18:39.270]  So, just something to consider. That's just a plain text query there.
[18:40.790 --> 18:49.920]  Also, more basic, if you're looking for event IDs, everybody knows what a 4624 is.
[18:50.740 --> 19:00.720]  And if you don't, get your event IDs out, Google a sheet of the top event IDs to keep an eye on.
[19:00.720 --> 19:08.800]  Microsoft has a sheet of severity levels that's important to look at.
[19:09.540 --> 19:18.820]  But if you look here, I just looked for all the 4624s for this week, and I'm now looking at all the logons.
[19:18.980 --> 19:21.940]  Successful logons. You've got security IDs.
[19:23.100 --> 19:30.020]  And something I failed to mention, you want to pay attention to the message column here.
[19:30.020 --> 19:36.300]  So, what I like to do is keep the... I'm going to pull this out here.
[19:36.300 --> 19:40.680]  Go down to the message field and actually filter out for that column.
[19:41.100 --> 19:53.540]  Because now, I can just scroll down and start looking through and saying, hey, this is some stuff, but I don't care about the S-1-0-0 SID.
[19:54.140 --> 19:55.940]  I don't care about that.
[19:57.460 --> 20:00.500]  So, let's see how we can filter that out.
[20:03.620 --> 20:05.280]  So, not.
[20:07.240 --> 20:08.440]  Excuse me.
[20:09.160 --> 20:10.360]  And not.
[20:36.710 --> 20:45.830]  There we go. I just took out all the S-1-0-0s, and now I can start seeing some other security IDs that have logged in.
[20:45.870 --> 20:52.050]  And if you want, you can go down and start narrowing down the system names. There's your host names there.
[20:52.050 --> 21:00.050]  And you can say, I don't care about ACC1. That guy's a good guy. Let me keep moving. But I do care about...
[21:01.010 --> 21:02.210]  Let's maybe say...
[21:04.170 --> 21:05.790]  Who we got here?
[21:06.330 --> 21:07.890]  Under host name.
[21:08.910 --> 21:17.330]  Oh, that's ACC101 again. But you get the drift, right? I'll filter out for ACC... that was the username, but same difference.
[21:19.890 --> 21:22.550]  So, I've now filtered out for ACC1.
[21:22.550 --> 21:28.030]  I said, I want to see 4624s, but I don't care about S-1-0-0.
[21:29.650 --> 21:31.650]  That's how you would do that there.
[21:32.170 --> 21:40.970]  You can get a little bit more complex here and start looking at data paths and file paths and image path names.
[21:41.570 --> 21:43.030]  So, let's look at...
[21:43.550 --> 21:45.590]  Let me pull this out here.
[21:46.250 --> 21:47.530]  Flip to a new one.
[21:50.370 --> 21:50.850]  And...
[21:51.830 --> 21:52.890]  I want to see...
[21:54.110 --> 21:55.590]  Let's just look at...
[21:56.650 --> 21:58.150]  System on here.
[21:59.450 --> 22:01.430]  Let's just look at Beats logs.
[22:02.190 --> 22:03.970]  So, I'm going to say, I want to see...
[22:09.710 --> 22:17.010]  Here we go. Something to keep in mind, Beats, right? Beats are the agents that are actually shipping the logs to your Logstash.
[22:17.830 --> 22:24.410]  Now, keep in mind, Winlogbeat, Windows event logs, security, application, then you've got your PowerShell logs.
[22:24.410 --> 22:28.250]  Everybody knows PowerShell is always good, but you might want to look at it anyway.
[22:28.490 --> 22:29.290]  Hint, hint.
[22:29.630 --> 22:34.810]  So, what I'm going to do here is go ahead and filter out and say, I just want to see Winlogbeat logs.
[22:39.240 --> 22:40.000]  And then...
[22:47.140 --> 22:50.180]  I want to search for a specific event ID.
[22:51.020 --> 22:55.000]  Or, you know, better yet, let's see if we can start filtering for different file paths.
[22:55.000 --> 22:58.740]  So, let's find the file path field.
[23:15.350 --> 23:16.510]  Here we go.
[23:16.670 --> 23:20.150]  Very minimal logs, right? Where the file path exists.
[23:20.410 --> 23:25.330]  So, here's the file path. I've got users, I've got folders here.
[23:25.330 --> 23:29.570]  But I want to just know where this user here might have looked at...
[23:30.990 --> 23:36.170]  Or what files this user has actually executed, or file created, right?
[23:36.170 --> 23:39.450]  So, let's say I want to filter by file create.
[23:39.450 --> 23:40.910]  So, I go here.
[23:42.630 --> 23:48.470]  And I can either say in a specific path, or I can say a specific user.
[23:48.470 --> 23:52.890]  But I want to know when anything, let's say, created in this AppData path here.
[24:18.080 --> 24:20.360]  So, I'm going to do a regex here.
[24:28.350 --> 24:28.910]  Say...
[24:28.910 --> 24:30.190]  Anything.
[24:31.350 --> 24:34.190]  And then close my regex.
[24:34.250 --> 24:35.370]  Anything.
[24:38.960 --> 24:43.940]  And then, because it's regex, you've got to escape your characters.
[24:47.380 --> 24:53.680]  And we'll take out... for simplicity.
[25:11.570 --> 25:13.070]  There we go.
[25:13.270 --> 25:15.190]  That's a hefty one there.
[25:15.330 --> 25:19.970]  But, I'm down to 32 events in the last 15 minutes, right?
[25:19.970 --> 25:25.930]  That, right there, is I've now narrowed down every time a file was created by Claudia Davis,
[25:25.930 --> 25:28.510]  or maybe not by Claudia Davis, just in her path.
[25:30.490 --> 25:32.210]  In the AppData path.
[25:32.210 --> 25:34.410]  And what's in AppData? Temp folders.
[25:34.410 --> 25:36.930]  So, keep that in mind. Keep going.
[25:39.550 --> 25:41.410]  So, something else you can do.
[25:42.410 --> 25:47.690]  And, if you come across a query, like this hefty one here, that maybe sometimes,
[25:47.690 --> 25:51.270]  oh, I want to just swap out the user and use that search over again.
[25:51.310 --> 25:53.430]  You could just copy and paste it to a text file.
[25:53.430 --> 25:58.410]  Or, you can get real fancy with it and go and start saving some of your searches.
[25:58.410 --> 26:04.110]  And so, Claudia Davis file create.
[26:04.110 --> 26:04.910]  Great.
[26:06.370 --> 26:08.390]  So, you confirm that.
[26:08.890 --> 26:15.150]  And, at any given time, you start opening up a fresh Kibana page.
[26:17.170 --> 26:20.950]  You can go in and say, where's my search?
[26:20.950 --> 26:23.410]  Oh, there we go. Claudia Davis.
[26:23.410 --> 26:29.310]  Because now I want to look at James Brown, or I want to look at Kanye West.
[26:29.410 --> 26:32.830]  So, that's some of the things you want to start doing as you go,
[26:32.830 --> 26:34.550]  because you're going to use these queries over again.
[26:34.550 --> 26:39.310]  If not, you're going to use the shell of it for a different file path for a different user.
[26:39.510 --> 26:42.370]  And that's something that might be useful for you down the line.
[26:44.410 --> 26:48.230]  Now, there's some other stuff you can do with visualizations.
[26:48.230 --> 26:57.270]  So, you can actually pull in a visualization and save search as a visualization,
[26:58.570 --> 27:00.430]  or you can create your own.
[27:00.650 --> 27:03.850]  A lot of times I like to create tables and look at time frames.
[27:03.850 --> 27:06.390]  They're real good for looking at live data,
[27:06.390 --> 27:09.510]  but you can also look at over a span of time and say,
[27:09.510 --> 27:13.330]  hey, I want to see how many times this system has used SMB,
[27:13.330 --> 27:18.230]  or I want to see how many times Quad4 protocol was used.
[27:18.430 --> 27:21.210]  And then you can actually just have it on a table,
[27:21.210 --> 27:24.710]  throw it in a visualization, and pop it up any time you want to start.
[27:26.390 --> 27:31.190]  Just keep in mind, hey, this came across during this time frame that I'm already inspecting.
[27:31.430 --> 27:33.290]  And then you can use that.
[27:33.290 --> 27:38.270]  And I'll just show you a quick one here, because you can get pretty caught up in it.
[27:42.800 --> 27:44.460]  We're going to do the count here.
[28:00.790 --> 28:03.170]  We're going to aggregate it on a term.
[28:04.650 --> 28:11.810]  In the field, we're going to add, let's say, IP source.
[28:12.190 --> 28:14.230]  Excuse me, source IP.
[28:18.450 --> 28:19.810]  There it is.
[28:20.310 --> 28:23.050]  And we're going to say you want to see the top five.
[28:23.950 --> 28:27.210]  You can call that source, you can label it, whatever you want.
[28:28.750 --> 28:30.090]  Hit play.
[28:30.410 --> 28:31.530]  There you go.
[28:31.530 --> 28:37.450]  What this is showing you here is just the log counts for each of these sources here.
[28:37.530 --> 28:42.790]  That's a super quick way to start seeing, in this time frame, who was talking the most.
[28:42.790 --> 28:46.830]  Is that data exfil? Is that port scanning?
[28:46.830 --> 28:49.210]  Is that some of the stuff you want to start paying attention to?
[28:49.210 --> 28:50.750]  Look at the count of the logs.
[28:50.750 --> 28:52.850]  That's a low-level hunt that you can do.
[28:53.290 --> 28:58.170]  But you can go in and you can use the same concept and throw in protocols.
[28:58.170 --> 29:00.230]  You can make a bar graph out of it.
[29:00.230 --> 29:02.030]  You can make a pie graph out of it.
[29:02.030 --> 29:05.390]  But I like to use them more for live hunts.
[29:05.790 --> 29:09.710]  But for this exercise, you're probably going to spend most of your time in Discover.
[29:19.150 --> 29:20.190]  All right.
[29:20.850 --> 29:27.750]  I think I kind of gave you the low-level, or high-level rather, rundown of everything.
[29:27.750 --> 29:29.170]  I don't want to take up more of your time.
[29:29.170 --> 29:31.070]  You've got a lot of tools to learn today.
[29:31.450 --> 29:35.510]  And there's a lot of time you can go spend playing with Kibana.
[29:36.170 --> 29:40.370]  There's a couple of videos out there that you can do.
[29:40.370 --> 29:46.030]  I can give you all some resources if you just hit me up in the OpenSOC Discord channel.
[29:46.030 --> 29:47.630]  We've got a Kibana channel.
[29:47.630 --> 29:52.730]  And then also, there's some more advanced Kibana users out there.
[29:52.730 --> 29:57.170]  I'm definitely not the know-all, but I've seen my way around it.
[29:57.490 --> 30:04.350]  But we've got an Ask for Help channel over in the OpenSOC Discord willing to answer any questions.
[30:04.350 --> 30:10.450]  A lot of the OpenSOC veterans that have played OpenSOC before have used Kibana before.
[30:10.450 --> 30:17.270]  They've got some tips and tricks, and they can get you sorted out.
[30:17.270 --> 30:19.590]  So, thank you for your time today.
[30:19.590 --> 30:23.630]  If you need anything, again, just hit us up on the Discord, and we'll talk soon.
[30:25.950 --> 30:27.250]  Thanks a lot, TJ.
[30:27.250 --> 30:28.610]  That was a great talk.
[30:29.050 --> 30:34.130]  As he pointed out, check out the Recon InfoSec Discord channel if you're looking for OpenSOC questions.
[30:34.350 --> 30:37.330]  They're over there to assist you as needed.
[30:37.730 --> 30:39.190]  I appreciate it. Thanks again.
